Data Subject Rights

POSITION PAPER ON DATA SUBJECT RIGHTS

EDRi broadly welcomes the provisions in the Proposed Directive, which strengthen and clarify the rights of the data subject through measures aiming for greater accountability of the controller, in particular with respect to the data subject’s right to information and right of access. There are, however, a number of provisions that should be amended in order to avoid any excessive restrictions on data subjects’ rights. EDRi believes that the level of protection afforded by the proposed Directive should be comparable to the level of protection foreseen by the proposed General Data Protection Regulation,

Modalities for exercising data subjects’ rights (Article 10)

(1) Our analysis:

Exercising one’s data protection rights is made easier under the proposed Regulation than under the proposed Directive. While the proposed Regulation requires controllers to have policies on data processing and to set up procedures for providing information on processing to data subjects and for exercising their rights, the proposed Directive only prescribes that the controller take all reasonable steps to have such policies and procedures. This wording aims at limiting the responsibility of controllers for not establishing procedures and policies that in practice are essential for data subjects to exercise their rights. In consequence, the wording of Article 10(1) and 10(3) may make the rights of data subjects conditional upon the controller’s own assessment of whether it is reasonable to have the necessary policies and to establish the necessary procedures. EDRi believes that these requirements should be unconditional, as they are the key to an effective exercise of data subjects’ rights.

Moreover, the provision on the controller’s reply to a data subject’s request (Article 10(4)) should set out specific obligations for the controller and a fixed deadline for the reply, akin to the corresponding Article 12 of the proposed Regulation. If a data subject is left without a reply for months, the rights exercised through the request become meaningless.

Another issue that needs to be addressed is the possibility for data controllers not to take the action requested by the data subject if a request is “vexatious”, or to charge fees for taking requested actions (Article 10(5)). While the objective of this provision is justified as it seeks to prevent the abuse of rights, its wording has to be chosen carefully in order not to prejudice the legitimate exercise of data subject rights. This provision can be contrasted with its counterpart in Article 12(4) of the proposed Regulation, which only allows charging fees for “manifestly excessive” requests. In EDRi’s view, there is no reason why there should be a lower standard under the proposed Directive.

The above changes are necessary in order to truly allow data subjects to exercise their rights foreseen by the Directive.

(2) Our recommendations:

The words “take all reasonable steps” should be deleted from Article 10(1) and Article 10(3).

The controller should be obliged to reply to a data subject’s request in writing, and to send the reply within one month of receiving the request. The controller should also be required to inform the data subject whether or not any action has been taken following the request (under the current wording of Article 10(4), it may appear that controllers need only reply if action is taken).

The wording of Article 10(5) should be brought in line with that of its counterpart, Article 12(4) of the proposed Regulation: controllers should only be allowed to charge fees for taking the action requested by the data subject, or to decline to take the action requested, if requests are “manifestly excessive”, and not merely “vexatious”. Moreover, the criterion of “the size of volume of the request” (on the basis of which controllers may charge fees or decline to take the action requested at all) should be deleted, so that data subjects’ rights are observed regardless of the size or amount of data held by the controller.

Duty to provide information to data subjects and right of access (Articles 11-14)

(1) Our analysis:

In general, according to the proposed Directive, controllers are under a duty to provide information to data subjects and to allow them access to their data. Safeguarding these important principles is to be welcomed. But compared with the proposed Regulation, controllers may be less transparent, less responsive to requests, and slower to respond. In addition, the proposed Directive provides for very broad exemptions, which may render the fundamental right to data protection meaningless.

According to Articles 11 and 13, controllers’ duty to provide information to data subjects and data subjects’ access rights are subject to a significant carve-out that allows Member States to legislate to restrict these rights to the extent that such restriction is a necessary and proportionate measure in a democratic society with due regard for the legitimate interests of the person concerned, in order to satisfy one of five prescribed goals (e.g., to protect public security). Additionally, Member States may determine categories of data that are wholly or partly exempt under the above carve-out.

Delaying, restricting or omitting the provision of information to the data subject, as well as the total or partial restriction of the data subject’s right of access, are allowed, for example, in order to protect public or national security. EDRi is concerned about the difficulty of distinguishing between these two categories, as well as the possibility of their broad interpretation. It should also be noted that this wide carve-out means that, in practice, Article 12 will provide much weaker rights for data subjects than its equivalent measure under the proposed Regulation (Article 15), even if the language describing the information to be provided is otherwise exactly the same.

(2) Our recommendations:

In principle EDRi welcomes an explicit reference to the test of necessity and proportionality. However, as could be observed, for example, in the debate about mandatory telecommunications data retention, this concept remains susceptible to different interpretations depending on the legal culture and the current political context. In this context EDRi recommends that Member States should be obliged to notify their proposals for legislative measures relying on this particular exemption to their data protection authority for consultation. Language should be added to Articles 11 and 13 requiring that “any restriction must be in compliance with the Charter of Fundamental Rights of the European Union and the Convention for the Protection of Human Rights and Freedoms, and in line with the case law of the Court of Justice of the European Union and the European Court of Human Rights”. As an alternative, such language could be introduced in a recital, akin to Recital 59 of the proposed Regulation.

The power of Member States to completely exempt certain categories of data from the right of access by the means of legislative measures (Article 13(2)) should be removed. The possible restrictions in Article 13(1) are sufficient.

Similar considerations apply to Article 11(5).

The words “take all appropriate measures” should also be removed from Article 11(1), to unconditionally require controllers to provide the data subject with the types of information mentioned in this article.

In more general terms, EDRi recommends that the number and scope of the exemptions provided for in the Proposed Directive should be reconsidered and limited, in order to achieve standards of protection of data subjects’ rights similar to those of the proposed Regulation. Every single exemption has to be duly justified, while blanket and broad exemptions cannot be accepted. Limitations of the rights of data subjects must be an exception to the general rule, and cannot become the rule itself.

Rights to erasure and rectification (Articles 15-16)

(1) Our analysis:

In the language of the proposed Directive, the rights to erasure and rectification of data are far more limited and far less clear than they are under the proposed Regulation. Article 15, dealing with the right to rectification, states that controllers may refuse to comply with a data subject’s rectification request, but it does not give any grounds or conditions for such a refusal. According to Article 16, which deals with the right to erasure, controllers may refuse to comply with a data subject’s erasure request – but again, no grounds or conditions for refusal are formulated.

The proposed Regulation provides for a “right to be forgotten” that would require the controller to communicate any rectification/erasure carried out in accordance with a data subject’s request to each recipient to whom data have been disclosed, unless this is impossible or would involve disproportionate effort (Article 17(2) of the draft Regulation). The provision serves to protect data subjects’ rights in case their data are transferred to a third party. The Proposed Directive has no equivalent requirement. EDRi believes that a similar obligation should also apply in the law enforcement area, where it is crucial that data are not processed unlawfully. At the least, any rectification or erasure carried out by a controller should be communicated to all the data recipients, as is the case under Article 13 of the proposed Regulation. This would guarantee the accuracy of data.

Under Article 16(3), the controller has to “mark” the data instead of erasing them in specific, enumerated situations. However, what such “marking” actually means is not defined. In the corresponding Article 17(4) of the draft Regulation, the term “restricting processing” is used, which means that data can only be stored, and processed only in very limited cases (e.g. for purposes of proof or for the protection of the rights of another natural or legal person). Moreover, under the draft Regulation data subjects are informed before the restrictions are lifted and processing resumes (Article 17(6)). Similar provisions should be introduced in the draft Directive.

(2) Our recommendations:

EDRi recommends that the conditions for refusal to rectify or erase data should be clarified. Controllers should not be able to deny rectification requests that are factually correct; similarly, they should not be able to deny erasure of unlawfully processed data.

An equivalent of Article 13 of the draft Regulation should be introduced, which would require controllers to communicate any rectification carried out in accordance with a data subject’s request to each recipient to whom data have been disclosed.

Article 16 (with regard to “marking” data instead of erasing them) should be brought in line with Article 17(5)-(6) of the draft Regulation – “marking” should be clearly defined or replaced by “restricting processing”. Also, data subjects should be informed before such marks are lifted and normal processing resumes.